EFTM

We’re getting a picture of what went wrong with Census 2016 Online

It’s a comedy of errors, and I doubt that’s the last time you’ll hear that line, but that is what seems to have caused the massive failure of the online 2016 Census on Tuesday night. What’s clearer than ever is that the ABS failed to put in place strategies to stop all of this from happening.

Patrick Gray is the host of the podcast Risky Business, which focuses on IT security companies and issues. He has revealed a large amount of information through a series of tweets today which points to massive failures by the ABS and its IT providers on, and leading up to, Tuesday night.

You see, we sometimes dumb down the language around complex issues: “router” is a familiar word in Australian homes, so it is perhaps easier to use than explaining what a firewall is and does.

Rebooting a piece of hardware is not uncommon. Normally there is a secondary piece of kit that takes the load while that system returns to a working state. From the tweets above it seems the configuration of the secondary firewall (referred to above as the “ruleset”) was not up to date, and so it was not able to cope or perform as it should.
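A failover like the one described above only works if both firewalls carry the same ruleset, and the way a defender catches drift before a reboot exposes it is to compare the exported rulesets of the two nodes on a schedule. The following is an added example, not code from this article, the ABS or IBM: it parses two constructed ruleset exports (the five-field line format, the `Rule` type and the sample rules are all assumptions for illustration) and reports rules missing on the standby, rules present only on the standby, and ordering differences, which matter on a first-match firewall.

```python
"""Detect ruleset drift between an HA firewall pair.

Added example, not from the article or any ABS/IBM system. The export
format ("action proto src dst dport", one rule per line) and the sample
rulesets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # port, range, or "any" when not applicable


def parse_ruleset(text: str) -> List[Rule]:
    """Parse a constructed 'action proto src dst dport' export.

    Blank lines and '#' comments are skipped; field order is fixed and
    values are lower-cased so cosmetic differences do not count as drift.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        action, proto, src, dst, dport = (p.lower() for p in parts)
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def ruleset_drift(primary: List[Rule], standby: List[Rule]) -> Dict[str, object]:
    """Compare the two nodes' rulesets.

    Reports rules present on only one node and whether the rules both
    nodes share appear in the same relative order (on a first-match
    firewall a reordered rule changes behaviour even if nothing is missing).
    """
    pset, sset = set(primary), set(standby)
    shared_primary_order = [r for r in primary if r in sset]
    shared_standby_order = [r for r in standby if r in pset]
    return {
        "missing_on_standby": [r for r in primary if r not in sset],
        "extra_on_standby": [r for r in standby if r not in pset],
        "order_differs": shared_primary_order != shared_standby_order,
    }


def in_sync(primary: List[Rule], standby: List[Rule]) -> bool:
    """True only when both nodes would behave identically after failover."""
    d = ruleset_drift(primary, standby)
    return not d["missing_on_standby"] and not d["extra_on_standby"] and not d["order_differs"]


# Constructed sample exports using RFC 5737 documentation address ranges.
PRIMARY_EXPORT = """
# primary node export (constructed)
allow tcp any 203.0.113.10/32 443              # public HTTPS front end
allow tcp 198.51.100.0/24 203.0.113.10/32 22   # admin jump hosts
deny  udp any any any                          # drop UDP floods
allow tcp 192.0.2.0/24 203.0.113.10/32 8443    # health checks, added after last sync
deny  any any any any                          # default deny
"""

STANDBY_EXPORT = """
# standby node export (constructed): stale, and two rules swapped
allow tcp any 203.0.113.10/32 443
deny  udp any any any
allow tcp 198.51.100.0/24 203.0.113.10/32 22
deny  any any any any
"""


def check_pair() -> Dict[str, object]:
    """Run the drift check over the constructed sample exports."""
    return ruleset_drift(parse_ruleset(PRIMARY_EXPORT), parse_ruleset(STANDBY_EXPORT))


if __name__ == "__main__":
    report = check_pair()
    for rule in report["missing_on_standby"]:
        print("MISSING on standby:", rule)
    for rule in report["extra_on_standby"]:
        print("EXTRA on standby:  ", rule)
    print("shared rules reordered:", report["order_differs"])
```

Run as a scheduled job against real exports, the check should fail loudly (non-zero exit, alert) on any of the three conditions; a standby that has never been compared is the situation the article describes.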

It gets better. Remember how the ABS detected Distributed Denial of Service (DDoS) attacks early in the day and put in place “geoblocking” to prevent any overseas access to the service?

Also, relying exclusively on geoblocking from your ISP instead of actual, you know, REAL DDoS mitigations is also pretty fail.

There are real-world DDoS mitigation solutions available and in wide use; the tweets above indicate those were not in place at the ABS. Likewise, the internet provider that delivers the traffic to your servers can play a role. It appears likely that Telstra Enterprise offered GeoBlocking services to the ABS but they were declined.

And the most curious part?

The funniest part? They detected exfil, thought the DDoS was a distraction. That’s when they pulled the pin.

Exfil is short for exfiltration, the extraction of data from a system, which is to say a possible hack. When an attacker pulls data off a server it is called exfil, and it appears some alarms went off relating to this, yet it was, as we now know, what the Prime Minister was referring to as a “false positive”.

Quite possibly, the reason this website has now been down for well over 40 hours is due to the Defence Department investigating that “false” alarm relating to “exfil”.

This explains in a small part why the ABS made the decision to bring the website down. It doesn’t explain why they haven’t restored the service yet.

It’s all too confusing to be real. We’re not being told the whole story here and while the Prime Minister is banging on about being “straight with the Australian people” we’re getting bugger all of that – other than him being very frank about his disappointment with the ABS and IBM.

I’m sorry, but anyone involved in the implementation of the 2016 e-Census at the ABS needs to be given their marching orders, unless they can start to show us how they tried to say it was going to fail, or they tried to suggest stronger DDoS prevention measures.

The ABS simply cannot be trusted to implement this large-scale online event. And if IBM and the other companies involved in the implementation think they get off lightly then think again. It does not take a mathematician to work out just how big this event was going to be. It also does not take a degree in statistics to determine that this huge all-of-nation event was going to be a target for any sort of cyber attack. Of course you’re going to target something that is going to cause the greatest disruption.

That those parties, be they ABS employees or contracted private businesses, didn’t flag these issues and attempt to put in place mitigation strategies is the true failure of the 2016 Census.

The real outcome of the 2016 Census is we have to scrap it.

2.3 million forms have been submitted online. Another 3 million or more are coming back in paper form. That’s 5.3 million. Prior to the Census the ABS said it was predicting 15 million online submissions. Even if it’s only 5 million still to come back, all the door knocking in the world won’t get everyone off their bums and online to give it a whirl. We had the motivation, we had the push to do it, and it failed.

If the process continues and what we get looks anything like the expected snapshot of Australia I’ll be amazed.

The whole thing needs to be scrapped, and as painful as this is for me to say, we’re going to have to go back to the paper forms.

It’s going to take a very honest and plain-speaking explanation of these events to even begin to restore Australians’ faith in the online census, let alone any future all-of-nation government operations.

Again, if the PM is trusting his own bureaucrat Alastair MacGibbon, who advises him on cyber matters, with an investigation into these events, one hopes he takes a corporate and commercial view of things.

In the corporate world, excuses aren’t allowed, and in my view someone with broad commercial experience and public service knowledge should be in at the ABS asking the simple and the advanced questions to determine what the hell is going on.

2 Comments

I think part of it was the way ABS in the days before were highlighting the fines which scared a lot of people thinking their fines will start on Wednesday. I had a few people tell me this.
Before the disaster, the ABS were not reassuring people about the fines and they probably didn’t expect everyone to try and complete it all on one day.
The reason the tax system works is we have a few months to do it.
People didn’t understand the snapshot concept of statistics and thought they did it all on one night.
I don’t really believe that DDOS either, they were poorly prepared on the backend. The DDOS is a convenient fiction.
Several million customers would look like a DDOS.